Bug in OllyScript 0.92?


Anonymous
December 19th, 2004, 17:50
The OllyScript ASM command appears to generate incorrect opcodes in some cases. For example,

ASM someaddress, "mov al, 01"

generates opcodes C6,C0,01 and $RESULT returns 3.

(of course the correct opcodes should be B0, 01)

A number of other ASM commands also generate incorrect opcodes.

I can't find any other references to this problem in the forum and I'm using the latest download of 0.92 OllyScript and Ollydbg 1.10.

Any help would be appreciated please.

focht
December 31st, 2004, 04:43
Hi,

the generated opcode is valid (3-byte version: opcode, addressing mode byte, 1-byte immediate constant).
The other version (2 byte) is of course valid too.
There are several mnemonics which can be expressed with different opcode sequences.
For your case I assume the plugin uses the ollydbg API function "assemble()" and returns the first version - which is the 3-byte version in this case.
This selection might not be optimal in all cases but it's valid.

To get all possible opcode versions of one mnemonic the plugin would have to loop until error...

pseudocode:

#include "plugin.h"          /* OllyDbg 1.10 plugin SDK: t_asmmodel, TEXTLEN, ulong, Assemble() */

char errtext[TEXTLEN];       /* receives the assembler's error message, if any */
t_asmmodel model;            /* receives the encoded bytes (model.code, model.length) */
char *mnemonic = "mov al,01"; /* instruction text to assemble */
ulong ip = 0x00401000;       /* example address (assumption); relative operands are encoded against it */
int index = 0;
/* Each call asks for the next alternative encoding (the "attempt" argument).
   Assemble() returns the encoding length, or <= 0 once no more variants exist.
   Note: the function is declared as Assemble() with a capital A in plugin.h. */
while (Assemble(mnemonic, ip, &model, index++, 0, errtext) > 0)
{
    /* do something with returned opcodes (model.code, model.length bytes) */
}

In your case "assemble( "mov al,01", ....)" would iterate 2 times, returning the 3-byte version and in 2nd iteration the 2-byte version.

Hope you understand the plugin behaviour now...

Regards

ABend
January 9th, 2005, 14:01
Hi focht,
Thanks - I now understand what's happening here.

I am using a sequence of Ollyscript plugin "ASM" commands in a script to automate the injection of a lengthy bit of code. I now see why the Ollyscript-generated code is not the same as when I use the "Assemble" (i.e. "space bar") command directly in Ollydbg itself.

For example, the Ollydbg "Assemble" command always generates the 2 byte opcode sequence for mov al, 1. The Ollyscript ASM eip, "mov al, 1" command always generates the 3 byte opcode variant. This behaviour in ollyscript for several instruction types makes it trickier to inject code in tight places.

It would be useful to be able to switch between ASM generated opcode variants in ollyscript to match exactly how ollydbg behaves.

There may also be some way to get ollydbg and ollyscript to generate the same opcodes?

Thanks again for your help

Regards
ABend
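
The following is an added example, not code from OllyScript, OllyDbg or any poster in this thread. It models in Python what focht's "loop until error" over Assemble() surfaces for "mov reg, imm" (the long ModRM form C6 /0 ib or C7 /0 id, and the short register-in-opcode form B0+rb ib or B8+rd id), then picks the shortest variant, which is the choice ABend observed OllyDbg's own Assemble dialog making. The opcode and ModRM values come from the IA-32 instruction set reference; the function names (modrm, encode_mov_reg_imm, shortest_encoding, assemble_block, fits) and the sample instruction list are this example's own inventions, and only 8-bit and 32-bit general registers are covered.

```python
# Added example (not OllyScript/OllyDbg code): enumerate the valid x86
# encodings of "mov reg, imm" and compare the first-variant choice the thread
# reports for OllyScript 0.92 with the shortest-variant choice of OllyDbg.

REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def modrm(mod, reg, rm):
    """Build a ModRM byte: mod (2 bits) | reg (3 bits) | rm (3 bits)."""
    return ((mod & 3) << 6) | ((reg & 7) << 3) | (rm & 7)


def encode_mov_reg_imm(reg, imm):
    """Return every valid encoding of `mov reg, imm` as a list of bytes,
    long form first and short form second, mirroring the order the thread
    reports for the OllyScript ASM command ($RESULT == 3 for "mov al, 01")."""
    name = reg.lower()
    if name in REGS8:
        idx, width, long_op, short_op = REGS8.index(name), 1, 0xC6, 0xB0
    elif name in REGS32:
        idx, width, long_op, short_op = REGS32.index(name), 4, 0xC7, 0xB8
    else:
        raise ValueError("unsupported register: %s" % reg)
    bits = 8 * width
    # Accept either the unsigned or the signed range for the operand width.
    if not -(1 << (bits - 1)) <= imm < (1 << bits):
        raise ValueError("immediate %#x does not fit in %d bits" % (imm, bits))
    imm_bytes = (imm & ((1 << bits) - 1)).to_bytes(width, "little")
    # Long form: opcode, ModRM with mod=11 (register direct), /0, rm=register.
    long_form = bytes([long_op, modrm(3, 0, idx)]) + imm_bytes
    # Short form: register number folded into the opcode byte, no ModRM.
    short_form = bytes([short_op + idx]) + imm_bytes
    return [long_form, short_form]


def shortest_encoding(reg, imm):
    """The variant OllyDbg's Assemble dialog picks for these instructions."""
    return min(encode_mov_reg_imm(reg, imm), key=len)


def assemble_block(instrs, prefer_short=True):
    """Assemble a list of (reg, imm) pairs into one byte string.
    prefer_short=True mirrors OllyDbg's dialog; False mirrors the
    first-variant behaviour of OllyScript 0.92 described in the thread."""
    out = b""
    for reg, imm in instrs:
        variants = encode_mov_reg_imm(reg, imm)
        out += min(variants, key=len) if prefer_short else variants[0]
    return out


def fits(instrs, room, prefer_short=True):
    """True when the assembled block fits into `room` bytes at the patch site."""
    return len(assemble_block(instrs, prefer_short)) <= room


if __name__ == "__main__":
    for enc in encode_mov_reg_imm("al", 1):
        print(enc.hex(" "))                       # c6 c0 01, then b0 01
    print(shortest_encoding("al", 1).hex(" "))    # b0 01
    # Constructed sample block, chosen only to show the size difference.
    block = [("al", 1), ("ecx", 0x10), ("bl", 0xFF)]
    print("first-variant size:", len(assemble_block(block, prefer_short=False)))
    print("shortest size:     ", len(assemble_block(block)))
```

Running it shows the same pair focht describes (C6 C0 01 first, B0 01 second) and that a three-instruction block grows from 9 to 12 bytes when the first variant is always taken, which is exactly why the script output did not fit where the manually assembled code did.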

loveboom
May 7th, 2005, 21:10
yup this is a bug in ollyscript v0.92.

haggar
May 8th, 2005, 13:42
I don't know about you guys, but I noticed that a lot of my scripts produce some errors or incorrect results for which I cannot find the reason.